diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml
new file mode 100644
index 000000000..aa5045940
--- /dev/null
+++ b/.github/codeql/codeql-config.yml
@@ -0,0 +1,56 @@
+name: "Hyperframes CodeQL config"
+
+# Use GitHub's default security-extended suite — it's a strict superset of the
+# default suite (more queries, slightly higher false-positive rate). Pair it with
+# the query-filters below so the extra queries don't drown the dashboard.
+queries:
+ - uses: security-extended
+
+# Per-rule path filters. The intent is to silence rules that have known false
+# positives on specific file shapes (generated test artifacts, CDN-script test
+# fixtures, functional-cleanup regex) WITHOUT excluding those paths from all
+# analysis — a malicious contributor adding e.g. a command-injection sink into
+# a "test fixture" would still get caught.
+#
+# To audit what changed: look at PR diffs touching this file. Reviewers should
+# treat it like CODEOWNERS — adding a new path exclusion is a policy change.
+query-filters:
+ # Generated test artifacts (golden baselines written by the producer test
+ # harness). Every compiled.html re-rasterizes the regex-stripped composition;
+ # the same alerts fire on every fixture and on every re-render.
+ - exclude:
+ id: js/incomplete-sanitization
+ paths:
+ - "packages/producer/tests/**/output/compiled.html"
+ - "packages/producer/tests/**/failures/*.html"
+
+ # Test fixtures and skill test corpora intentionally load CDN scripts without
+ # SRI — pinning hashes there would fight the test's purpose (we want the test
+ # to use whatever the registry hands back, the same way a composition would).
+ - exclude:
+ id: js/functionality-from-untrusted-source
+ paths:
+ - "packages/producer/tests/**"
+ - "skills/**/test-corpus/**"
+ - "skills/**/assets/test-corpus/**"
+
+ # The hand-rolled HTML cleanup regex in our build-time tooling looks like a
+ # sanitizer to CodeQL but isn't one — it strips framework bootstraps from
+ # captured pages before they're fed back into our own renderer (Puppeteer,
+ # not a user-facing DOM). Same for the text normalizer in the whisper path
+ # (caption text → SRT/VTT, no DOM emission). Scope these exclusions to the
+ # exact files that contain functional regex, not to whole directories, so
+ # any new code in cli/, core/, or producer/ that LOOKS like a sanitizer
+ # still trips the rules.
+ - exclude:
+ id: js/bad-tag-filter
+ paths:
+ - "packages/cli/src/capture/index.ts"
+ - "packages/cli/src/whisper/normalize.ts"
+ - "packages/core/src/lint/utils.ts"
+ - "packages/producer/src/services/htmlCompiler.ts"
+ - exclude:
+ id: js/incomplete-multi-character-sanitization
+ paths:
+ - "packages/cli/src/capture/index.ts"
+ - "packages/cli/src/whisper/normalize.ts"
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..efe505163
--- /dev/null
+++ b/.github/workflows/codeql.yml
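Review bot: The `paths:` lists under each `query-filters` `exclude:` are, as far as I know, not something CodeQL evaluates — query filters match query metadata (`id`, `tags`, `precision`, `problem.severity`, `security-severity`), not file paths — so each filter either never matches (the four rules keep firing on the fixtures) or, if unknown keys are ignored, drops the rule repository-wide, which is exactly the blanket suppression the header comment promises to avoid. Please verify with one run that `js/incomplete-sanitization` still alerts on a deliberate finding outside `packages/producer/tests/` and that the fixture alerts are gone, and record the outcome next to `# Per-rule path filters.` so the next reader knows it was tested rather than intended. If per-rule path scoping turns out to be unsupported, the generated `output/compiled.html` and `failures/*.html` artifacts belong under a top-level `paths-ignore:` (they are build outputs, not source), while the hand-rolled regex files should keep their alerts and be dismissed in the UI with a stated reason, so the "sink in a test fixture still gets caught" guarantee actually holds. Either way, soften the header to describe what the config does rather than what it is meant to do.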
@@ -0,0 +1,55 @@
+# CodeQL advanced setup. Replaces GitHub's default code-scanning setup; the
+# repo must have default setup disabled in Security → Code scanning → "Set up"
+# before this workflow can run.
+#
+# Languages were taken from the existing default-setup config (JS/TS, Python,
+# Actions). Triggers mirror what default setup ran: push to main, every PR
+# against main, and a weekly schedule.
+#
+# The rules and path filters live in .github/codeql/codeql-config.yml so policy
+# changes show up as a normal PR diff.
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ # Mondays at 14:39 UTC — matches the cadence default setup was running on.
+ - cron: "39 14 * * 1"
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ packages: read
+ actions: read
+ contents: read
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ - language: python
+ build-mode: none
+ steps:
+ - name: Checkout
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ config-file: ./.github/codeql/codeql-config.yml
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@7fd177fa680c9881b53cdab4d346d32574c9f7f4 # v3
+ with:
+ category: "/language:${{ matrix.language }}"
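Review bot: On `pull_request` the `config-file: ./.github/codeql/codeql-config.yml` (and this workflow itself) are read from the PR's head commit, so a contributor can widen the exclusions in the same PR that introduces the code they hide; the config's "treat it like CODEOWNERS" advice is only enforced if `.github/codeql/` and `.github/workflows/codeql.yml` actually carry CODEOWNERS entries and the `Analyze (...)` checks are required on `main`. Under least privilege, `packages: read` is only needed to fetch private CodeQL packs and the config references none, so it can be dropped or kept with a one-line comment saying why it stays. The `# v4` / `# v3` pin comments would be more useful as the exact tag each SHA resolves to (`# v4.x.y`), so a reviewer can check the hash against the release and Dependabot keeps comment and SHA in sync.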